Developing a Global Understanding of Civil Society’s
Right to Privacy in Cyberspace

 By Jeffrey Aresty and Josh Aresty [i]  

Abstract

The right to privacy in the ‘online’ world is of great interest to society as a whole as the increasing amounts of business and social transactions are escalating at a rapid rate.  Relying on governmental institutions to regulate this arena is only one way in which we as a society should look to protecting our privacy and the ways in which our personal information is used.  Private industry needs to become socially aware and responsive to the growing concern regarding the use of private information they are entrusted with as part of their daily online business, however the responsibility must also fall to the individual to ensure they do not unwittingly provide personal information where it will be used incorrectly.

OUR VISION

In the digital world corporations and governments have forged ahead of civil society on the Internet, charting their own course regarding an individual’s right to information privacy.  Corporations and governments, the leaders of our economic and social systems, are taking charge by influencing the code which creates cyberspace.  On the other hand, the average global consumer, and civil society at large, has little understanding and hence little control over the structure of the internet, the programs that run it or how the information they share over the network is collected, categorized and stored elsewhere.  By organizing interested members of civil society into a virtual community we seek to inform civil society of their right to information privacy in this new digital world. We will convene a group from around the globe, using the very technology which is being used to affect our privacy rights for the purpose of discussing and developing social norms relative to information privacy.  Ultimately, through this dialogue we seek to influence corporations and governments to behave in a more socially responsible and responsive way; and in turn they can achieve a more sustainable position as trusted leaders of civil society rather than working at odds with civil society in the arena of protecting human rights.  After all, human rights protection will likely be seen as the bedrock for establishing trust between civil society and corporations and governments in the days and years ahead.

Article 3 of the Universal Declaration of Human Rights entitles each global citizen to life, liberty, and the security of person.  Article 12 says that no one shall be subjected to arbitrary interference with his [sic] privacy.  In the digital world, due to the transparency of the Internet and its increasing use throughout the world, we should be particularly concerned about our right to control who is allowed access to personal information about ourselves or our affairs; what we refer to as “information privacy”.  Not only is there potential for abuse through access to personal information, but the nature of privacy is being changed because of technological advancement.  As will be detailed below, because technology has developed rapidly and law reform has not kept pace, civil society is losing control over its own information privacy.  Corporations and governments are collecting and using our personal information to make marketing decisions, to prefer some internet traffic over others, and to track our whereabouts and activities. Unless this trend is checked, this will result in a fundamental change in the general right to privacy embodied in the Universal Declaration of Human Rights and in many government’s constitutions.  If such a change is to occur, it should certainly be done by the informed consent of civil society, after a full and honest exchange of information.

In recent years there has been an explosion of online business activity.  A cursory glance at Wired Magazine’s “Wired 40” List shows that the companies driving the global economy in the information age are those that have mastered technology, innovation and networked communication. [ii]   As corporations have offered an increasingly wide range of products and services via the internet, and as the system’s functionality has continued to improve, e-commerce has blossomed and information privacy has suffered.  Marketing companies and corporations track website visitor’s behavior: the amount of time they spend on the site, what they look at and where they go next.  This information is aggregated to produce statistics allowing for targeted marketing and more efficient service, however this type of research is more in line with surveillance than traditional market research.  The vast majority of consumers have no idea that their actions are being watched and logged - Governments are in this game too.  As activity in the digital world has grown, so has government interest in the medium.  At first, governments were primarily concerned with tracking and tracing criminal activity in cyberspace, but increasingly there are efforts to regulate and monitor internet traffic and content.  Consumers have remained relatively unaware of the vast amount of data collection that occurs when they traverse the digital world. Increasingly, governments seek to track “suspect” behavior on the internet but who defines what is suspect and what is legitimate activity on the internet is unclear.  What is certain is that traditional notions of privacy have to be analyzed in the context of a new medium and a networked world.

In response, civil society must confront corporations and governments directly and assert our right to privacy in cyberspace in an effort to protect our human rights.  Because of the eventuality that everyone can be connected in cyberspace, we have the opportunity to create a new social contract among the people of the world, a new understanding of international governance.  Connected virtually, technology gives civil society the means to conclude such a contract on a global scale and thus bring an ethically based set of values to the Internet, with full respect for human rights and democratic governance. [iii]   A well organized virtual community can tell corporations and governments that we want our privacy back. 

It is possible to construct a system in which corporations and governments can have the information they need, however, that information would be knowingly and deliberately given by civil society, not ‘snatched’ away while they aren’t looking.  This can work if civil society, acting through a virtual community, has a meaningful political and cultural voice in the decisions that affect them. [iv]   This world is not at hand, but we have the power and the possibility to work toward it, now!

Since civil society consists of every single individual it also comprises corporations and governmental institutions, as they are composed of individuals. This means that individuals will have to reevaluate their trust in corporations and governments as in the end we are all part of the same community. Right now, because of world events and breakdowns in capital markets, people have lost trust in these leading institution to speak without bias in favor of human rights.

Corporations must work to rebuild public trust.  Multinational corporations have a specific burden as they are positioned to affect social norms throughout the world. By acting collectively, corporate behavior that creates a sustainable trusting culture which respects the rule of law and global human rights rather than just seeking to adhere to minimum standard based on a theory of compliance with the rules of law can effect global change.  If corporations take the lead by setting higher standards than those required by mere compliance with current minimum legal standards and by making consumer privacy a central priority on the internet, they can achieve a sustainable position as trusted leaders rather than continuing to be mistrusted by stakeholders and consumers alike.

Government’s role must also change.  Like corporations, governments must rebuild trust with their constituents.  Today in America, we are faced with rapidly growing mistrust of the government and the government’s intentions.  As increasingly intrusive laws erode the fundamental right to privacy, citizens (and civil society globally) can no longer rely on law for adequate protection.  The legal solutions of the past cannot keep pace with the changing pace of technology.  Today’s legislation protecting privacy is merely tomorrow’s speed-bump for technology savvy programmers and the corporations that hire them.  Instead of the government playing an outmoded role of legislator, the government needs to fundamentally reevaluate the nature of the social contract it holds with its citizens and actively seek our involvement.  Through combined efforts of an active, participatory civil society, responsible corporate behavior and a redefined government role in respecting individual privacy rights, we can move towards a more balanced and sustainable global privacy policy in the digital world.  To that end, this paper calls for civil society to form a legal virtual community to develop the social norms which will drive the behavior of corporations and governments to regain our trust and promote a democratic world.

WHAT IS INFORMATION PRIVACY?  A DEFINITIONAL APPROACH

To understand the nature of information privacy on the Internet, we need to first look at Internet culture. The Internet offers a great possibility to advance and spread knowledge and thus induce progress. It has increased the amount of information that has been published. As the Internet is quite different from other media, people might get flooded with information , and more is not always better. If we read newspapers or watch television, someone else has made a pre-selection as to what we will see or hear - recipients only have to choose which kind of program they watch or what kind of newspaper they read. On the Internet, we choose what we want to read and we have to determine what is true.  Some might argue that the market will decide about quality, but this is not necessarily true. As the Internet is global there are so many different cultures, points of views and behavior patterns – there is not that ONE market that will regulate the whole information flow.

The Internet has certainly changed the ways information is produced and processed in a significant way. It has created a great opportunity we should all take part in. But there is also the other side of the coin - we have to face problems and threats that we have not known before.  The threat of the loss of our privacy is real.

Does civil society really have to give up our privacy because we go online? Many people do not fully consider the consequences of parting with their private information via the internet.  Perhaps privacy was not as great a concern 10 years ago, maybe it was not such a big deal 5 years ago, but today it is, and in another 5 years, as the Internet continues to grow exponentially, privacy will only be a greater concern.  People have to realize NOW that we are not invisible on the World Wide Web, we are living in a transparent world and have to change our way of conduct.

In order to know what changes have to be made, we can start by defining what privacy is in a digital world. And, as the Internet concerns all nations, we have to consider that there might be different normative concepts of privacy worldwide.

In order to construct a framework for understanding the normative and legal meanings of privacy, we start with the notion that privacy is one of the most talked about but least understood legal issues in the digital age.  

We can start by reviewing the role that law has played in defining privacy.  We should note that information privacy is a fundamental right recognized in the constitutions of almost every country worldwide and in many international treaties such as the UN Guidelines Concerning Computerized Personal Data Files. These provisions include, for example, the inviolability of the home and the secrecy of communication. Recent written constitutions, in particular South Africa’s and Hungary’s, also include a specific right to access and control personal data. In countries where the constitution does not provide such right (The US, India or Ireland), the protection of their citizens is provided by a mix of regulation, legislation and self regulation.

Our contention is that the power to define privacy in a digital world is better understood and addressed at the normative level; where civil society can collectively take matters into its own hand.  Since privacy is the power to control what others know about you and to partly determine the entry rules for your own private space, each of us holds that power in our own hands.  Further, online privacy can be defined more clearly as a user’s expectation that their online activities, transactions and preferences will be kept private, not used, misused or misrepresented or otherwise used in unacceptable ways.  By controlling access to our personal information, civil society will no longer have to rely on a corporation through its privacy policies, or governments, through law, to protect us.  After all, corporations have shown a desire to profit from our personal private information by collecting marketing information and selling that to other interested parties.  Likewise, the government has continued to encroach on personal privacy both in the analog as well as the digital world through increasingly invasive legislation.  Through our collective action, civil society can have a voice in how our personal information will be collected and used.

THE NEED TO PROTECT OUR PRIVACY

Our right to privacy in a networked economy is a fundamental balance against the power wielded by corporations and governments. So why it is often taken for granted?  We assume that protection of our privacy is the default standard. But this is not true - in most cases, by giving your phone number, credit card number or home address to a company in the US, you implicitly agree that they can use your data until you explicitly opt out. [v]

We all know what a privacy policy is. But do we really care?  Many of us ignore the privacy policy statements, which nowadays can be found on almost every website. Is it because we want to save time or just because we feel that we have lost the battle for our privacy on the Internet and do not care that our private information is being shared?

Many people purchase items on the Internet although they know that their data is being collected, for what purposes they do not exactly know. The reason for it is quite obvious. For customers, price, customer service, terms of payment etc. are the most important cues. If they had good experiences with an online retailer they will probably go on doing business with them, even  if they sell their address to other mail order companies, something many privacy policies explicitly permit.

But too many people still do not observe the danger that originates in disclosing private information. They do not see the radical increase in surveillance and its consequences and therefore willingly part with their most private information. In a 2003 survey, for example, 60% of all citizens in the EU were concerned about their privacy. [vi] The problem is that if we are asked directly whether we have a problem that our data is being collected or not, most of us would say that it is a problem. In reality, however, we often do not think about it, when clicking on the YES I AGREE button, accepting unwittingly privacy policies that are really “permission to market” agreements. So we think one way and act another.

This is a major problem for civil society.  We must fight for our privacy. We should be aware of the fact that willing giving access to our personal data is not only annoying but also a potentially dangerous trend.  Receiving tons of junk mail and telemarketing calls do not harm us, maybe they only bother us, but what about data related crime, like credit card fraud and identity theft? Do we really think that these things will never affect us?

The fact is that the government as well as the private sector must realize that there are no longer technical barriers to build up a Big Brother Regime portrayed by George Orwell. The most terrifying moment is when the parallel development of technology, law and politics – their interplay of force gets out of hand and civil society loses its chance to have a say.  “The surveillance monster is getting bigger and stronger by the day.” [vii]

Most computers are programmed to store and track usage data. As more and more computer technology is used in our daily life, more and more of our activities leave behind “electronic footprints”. We have to look at this as a whole and see the overall impact on privacy; it is not the individual pieces that will give us an impression of what is going on at the moment. A single ‘footprint’ may never harm anybody. The problem is, however that all the information of innumerable different sources can be combined in order to recreate the nature of a person the same way as following him or her day and night with a video camera. Data collection represents an enormous invasion of privacy, but until recently, our privacy has been protected since the information has remained disaggregated across many different databases.  With aggregation of the information, our privacy disappears.

The public either may not really care yet, or does not understand the threat.  If this attitude does not change we are at risk of losing our civil liberties.  In the early nineties information privacy was seen largely as a slightly obscure civil liberties issue driven by fanatics. At that time it was not that obvious in which direction we were going. Nobody assumed that the use of the Internet would explode that enormously. With the technological developments of the Internet, payment systems, encryption, biometrics, data mining, loyalty cards and the shift in marketing practices towards customer relationship management, privacy has since become a major issue.

In an ideal world, companies selling goods online not only have to treat our personal information with fairness and integrity, they also have to show us that they are doing so. This is the only way to promote trust between a customer and a company and thus increase transactions on the Internet. Companies have to communicate explicitly about data collection and use, they have to express why they collect this information and if and with whom it might be shared.  Government need to follow suit by clearly enacting rules of law that respect privacy and everybody in civil society has to realize that privacy has become a major issue. We have to make obvious that everybody is at least to some extent responsible if he or she wants to part with certain data. Every single user has to take care of his or her own privacy. As soon as society understands the consequences, people will change their attitude towards giving away private information without a fair exchange. Creating awareness amongst civil society is the challenge we are faced with.

DATA SURVEILLANCE BY THE PRIVATE SECTOR

Every activity of a customer not tracked and recorded by the seller is like money left on the table. Why should corporations spend huge sums for surveys, polling and questionnaires if it is much easier to place cookies on customers’ hard disk or collect the information from the customer  by asking  them several questions before letting them  continue with  their order? [viii] Our ZIP Code, for example tells a lot more about us than just where we live. By revealing our ZIP Code companies might also get information about the average income, age, race, population density, education etc. of the area we live in. We willingly part with private information when filling out orders forms or typing our delivery address.

All this happens in a subtle manner. When you buy things in a store you would definitely notice if somebody walked behind you making notes, you would even notice if there was a camera watching you. While shopping on the Internet, however, you are not really aware of what happens.

This gathering of data from corporations can lead to more junk mail, but sellers could also use the information to provide different levels of service or even different prices. If you go to a store every day and people know you, isn’t it likely that they will render you a better service?   Merchants justify the practice of collecting data because they want to reward their best customers.  But you cannot compare the face to face data collection with the anonymous collection of data on the internet.   What is meant here is that if corporations decide only by the information which is available to them on the Web if you are a good potential customer or not, they will seek to gather as much information as possible.  Though you have never done business with a company, they might grade you in a certain way.  And it is not only shopping that is being monitored, think of much more private things like research, chatting, seeking support, debating political issues – things that might reveal very private information about people’s interests, lifestyles, thoughts, habits, political conviction and disposition.  With Gmail, Google offers a whole gigabyte of storage space.  As consideration for this “free” service, they will analyze every word of all incoming and outgoing emails in order to post “appropriate” advertisements. [ix]    Gmail highlights the growing confrontation between protecting one’s privacy and enjoying the customized features and unique services that more and more web companies are offering.  The question now becomes: what is more important to you – more free storage space, with the knowledge that some software is scanning all of your private emails, or your privacy?

SURVEILLANCE BY THE GOVERNMENT

Under The Privacy Act of 1974 the US government was banned from maintaining data on citizens who are not targets of investigations. But this can now easily be bypassed. The FBI can simply purchase information collected by the private sector. There are companies involved called data aggregators, such as ChoicePoint or Acxiom, who compile detailed databases on individuals and then sell this information to others in order to help private and governmental organizations to reduce the risks of fraud and mitigate risks. [x] . Airlines have also provided the NASA and the FBI with Passenger information. [xi]   Further, The US and EU have recently agreed to a more formal agreement regarding air passenger data sharing. [xii]

Does the ability to enact laws limiting privacy make the government an even larger threat to our privacy, even more so than the private sector?  Government has the power to erode our liberty. This has been demonstrated in the USA since the terrorist attacks of 9/11. Six weeks after 9/11, the Congress passed the USA Patriot Act, which is a revision of the nation’s surveillance laws. The Patriot Act expanded the US government’s authority to spy on its own citizens in the name of national security. The gloomiest fact is that the government reduced checks on these powers, such as judicial oversight.

Is 9/11 an excuse for the government disturbing our privacy in this way? It has not been proven that a lack of individual surveillance contributed in any way to the attack. If we take a closer look at the cause and effect ratio we can see that there is no clear connection between fighting terrorism and the new legislation. Is it, for example, necessary to have access to peoples reading habits in libraries? It is scarcely imaginable that terrorist will borrow relevant literature from their public library. One might even argue that the government used the attacks in order to roll back unwanted checks to its powers. [xiii] Community surveillance will be much more effective, working with government surveillance if there is trust.

Since Congress  vetoed the Pentagon’s Total Information Awareness Date Mining Program, a state-run equivalent is trying to be built up. Matrix (Multistate Anti-Terrorism Information eXchange) combines information from government databases and private companies. It then makes this information available to government officials combing through millions of files searching for anomalies. [xiv]

It is not only data collection which should alarm society. Also the surveillance of communication is questionable.  Consider the FBI’s ‘Carnivore’ program - it is supposed to tap into the email traffic of a particular individual. We have known technologies like telephone wiretapping for decades, which is almost the same. The stretch however is on the word almost. Whereas in the case of telephone wiretapping, a FBI agent listens to one line, Carnivore could make it possible to troll through all traffic on an Internet Service Provider to which it has been attached. (Architecture of the Internet) The only reason why this does not happen is software preventing it. Now guess who writes the software – the government itself. According to the ACLU report, the FBI has refused to allow independent inspection, regarding this clear conflict of interests. [xv]

It is perfectly clear that not only the volume of tapping but the potential for abuse is staggering. The FBI, however, states that information being filtered by ‘Carnivore’ will never be seen by a person, as it will be vaporized after being checked in binary code for 1 second, but we do know that there still is a potential of misuse. Our world has seen many useful things that have been abused for malicious acts in the end and one of the most evident examples is nuclear fission. [xvi]

The government is trying to bring disparate sources of information together in one view. We then cannot believe anymore in the tradition that the police conduct surveillance only where there is evidence of wrongdoing. Such a system is supposed to protect the citizens from further attacks by trolling through the personal lives of us all.

Living in a surveillance society you have to think of the ability to lose your employment or not getting insurance, with every click online. Though there might still be a right of free speech we will not be able to use it anymore, as every word, in the worst case quoted out of context, might be reported to the government. [g1]   [g2]  

WHAT CAN BE DONE TO PROTECT OUR PRIVACY IN CYBERSPACE?

To better understand how to protect our privacy in cyberspace, we have to think of the Internet in different layers. At the bottom level we have the hardware that makes up the Physical Layer.  It consists of computers, cables and wires. Above this layer we find the Logical Layer, which is the Code of the Internet like Software and Standards – Operating System, IP and TCP. Eventually there is the Content Layer which is the information as message, meaning - the input of every user.

As a first step to solve any problem related to the Internet we have to find out which layer is affected. This is inevitable to analyze and map the problem in order to get a better understanding of the dynamic. For example if privacy is invaded due to harmful speech - this is a problem that cannot be solved by a change at the physical layer – instead, the content layer and therefore the users have to be addressed. This layer thinking is important to find the best point of entry.

As with any problem, there are different approaches to solve it. While some of them are quite easy to implement, others cannot be realized that easily.

SIMPLE STEPS – SOLVING THE PROBLEM OURSELVES

A market has two parties. Buyers and sellers. Either side can try to help solving the problem of privacy intrusion with simple means at their own disposal..

SELF HELP - Buyers

If we hear the word “danger” we also think of protecting ourselves against it. The first thing we think of is self help. If we carry a suitcase of money with us we try not to show others in the streets. It is the same with privacy, people should protect their personal data; there are some easy ways to do that. Protecting our personal data by self help would affect the Content Layer - as we decide on the information input.

It is for example quite easy to select a high level of security in your Internet Browser. Your Computer will automatically refuse to accept cookies - however, there exist sites where you have to accept a cookie before entering it - but at least you will know that a Cookie will be installed on your hard disk and you can decide if the site is worth it. Another possibility is to buy mostly inexpensive software that allows you to surf anonymously without your IP Address being shown and stored this will also help to protect you from being observed all too much. A third method is also very simple but very few people know about it. You can opt out and protect your personal information from being transferred. Go to the Double Click Website, which is responsible for many of the pop up ads and notify them that you do not want to get those ads.

If more people become aware of what is going on, they will probably change their habits and try one of the above mentioned simple methods to protect their privacy while acting on the Internet.

SELF REGULATION – Sellers

The problem however, is that as we become more aware of the surveillance activities of corporations acting in the private sector, we will not trust them anymore. Due to high profile betrayals (Enron, WorldCom, Arthur Anderson), widespread public mistrust of organizations already exists, just as much as mistrust of governments who were supposed to protect us against these betrayals. What our society needs to operate fairly is trust in our marketplace: people want to trust the ones who they are entering an agreement with. And as we all should know trust is built upon mutual understanding that each party will respect the agreement reached. So if someone buys goods on the Internet, it is not likely that they will trust the seller immediately and entirely.  One of the reasons is that we still trust people we can look at more easily than we can trust invisible partners. In order to change this, companies have to take voluntary steps to become more trustworthy.  If companies want their customers to do more eCommerce they have to make sure that customers can rely on their invisible partner. It is the companies turn to dispel the engendered mistrust. Companies should not only comply with the existing law, they should have an ethical demand to satisfy their stakeholders in any way.  Ramon Mullerat, former president of the Council of the Bars of Europe,  goes further, claiming corporations have a duty not only to profits but to stakeholders, sustainable development, and human rights. [xvii]   Ella Joseph expands the contrast,

“profit is naturally the lifeblood of a business, but would people want to work for a company that deliberately set out to exploit its workers for maximum productivity at minimum reward?  Would consumers want to do business with a company that was abusing human rights down its supply chain or polluting their neighbor?” [xviii]

Business wants the Internet. Business wants to conduct trade. Traditionally, the government provided regulations for commerce. It promotes rules for predictability enhances the stability and expectations of the transaction and provides for means that remedy breaches. Unfortunately, for the kinds of global transactions the Internet requires, there has been no place where commerce can turn for an effective venue for the timely development of rules that allow for eCommerce to expand.

There are several mechanisms to implement the idea of self regulation. The first method is the creation of Privacy Codes of Conduct. Companies for example can develop policies that are appropriate to their consumer base and also change their practices if customer preferences change. Consumers on the other hand are provided with knowledge about how a company plans to use data and can choose with whom they want to do business based on their own preference. Secondly, there is the possibility of contractual agreements by using given clauses existing for different contexts. Another method is the EU “Safe Harbor” between buyers and sellers. US organizations who certify to Safe Harbor will assure EU companies that the US company provides adequate privacy standards.  The “Safe Harbor” had been established to stabilize business between the USA and the EU in terms of the different approaches toward privacy.

The industry is gradually responding to the necessity of self-regulation. Privacy policy use in the US grew from 14% in the late nineties to 90% in 2000. [xix] A rapid growth in third party enforcement mechanisms, like TRUSTe and BBBOnline can be observed. These companies are auditing services which assure that privacy practices, regarding the gathering of information over the Web are within compliance. That way, consumers can notify the auditing services if private information has been misused. Companies will pay a small fee for getting the “seal”. Customers can then be sure that the company is being audited by an independent third party in regular intervals. The independence is kept in a way that only a very small fee will be charged. This should nullify some peoples’ objection that it is again all about money and the auditing companies would sell themselves. Unfortunately only a minority of all websites are using this type of auditing service.

Self regulation does not mean that there is no law. It also does not mean that the consumers are not protected at all and that rights cannot be enforced. Self regulation never means that companies are not regulated.  It does, however mean that regulations are more flexible, which is inevitable due to the increasing development of information technology.  It means further that companies and users are empowered to make choices.  And, it means that governments and other alternative institutions must provide for the enforcement mechanisms for bad actors.

One other way that the industry can regulate itself is by effecting changes at the “logical” layer of the internet.  The World Wide Web Consortium (W3C) develops technologies to lead the Web to its full potential by helping to enhance trust between consumers and sellers.  P3P (platform for privacy preference project) for example was developed in order to enable websites to express their private policies in a standard format. On the other hand, if P3P is in wide use we will no longer have to read boring and lengthy privacy policies on each website we visit.  Instead software, built into our Web browsers, will enforce our privacy right automatically and far more effective than we could ever do on a case by case basis. Your browser will automatically check if the website you visit supports the P3P Standard and if it fits with your preferences. You can choose to avoid sites that do not support the standard or do not match; if you choose not to avoid those sites, you can at least be more alert what information is going to be collected and for what purpose.

One problem with P3Pis that it does not provide any enforcement of the privacy practices that are promised in the privacy policies. For P3P to be useful it needs to be supported by countries with a coherent privacy law and enforcement mechanism.  For example, the Federal Trade Commission in the US has stated that it will  take action against businesses that do not adhere to their own privacy statements.  Also if companies are members of Truste or BBBonline, customers could also notify the auditing services in case of data use not complying with the companies privacy policy.

But P3P does not protect consumers from illegal activity such as Internet eaves-dropping. We know that technology alone cannot solve all problems associated with privacy online. Every user of the Internet must realize that we are not alone on the Internet, only because we sit alone in front of our computer. This does not automatically mean that we are not being monitored.

While P3P does not solve all privacy problems appearing when using the net, it does at least help to disclose what is going to happen to our private information and it helps people decide if they really want to give away certain data for certain purposes. And if successful, P3P might help persuade those consumers to do business on the Web, who have been too anxious to use the Internet due to privacy concerns.

Self help as well as self regulation will certainly maintain the whole process of protecting our privacy and building trust, but there have to be other methods as the abovementioned ones would assume that the market regulates itself. But due to monopolies, quasi-monopolies and oligopolies there will always be a market distortion, particularly as we talk about the Internet as a global marketplace.

FOUR MODALITIES OF REGULATION

We have to find additional ways to deal with the problem. Lessig mentions four modalities of regulation in general. [xx] We should try to find the best way to combine these approaches in our case. Though we know that nothing works one hundred percent, neither in the ‘real world’ nor in cyberspace, the following methods have to be combined and thus might make operating on the Internet more secure.

FIRST APPROACH: LAW

The most common way to  regulate behavior is law. We are used to thinking that law always protects us as it forces people to act in a certain way by providing for punishment. But does law really apply to the Internet? It is not at all true that law does not apply to the Internet. Instead it is more possible that too many laws from multiple jurisdictions apply and are in conflict with each other. Thus it is quite difficult to sort out compliance and enforcement obligations of either the relevant governing entity or user. As we all know: too many cooks spoil the broth.

As a result of the lack of any single or common authority setting laws, there has been an established  consensus of laissez-faire. This might have been sufficient in those times where the Internet was only used by a small number of people, but some years ago we came to a turning-point  and the laissez-faire approach came under increasing pressure as the possibilities of the Internet  were explored further.

There are currently two models to protect privacy by law:

First of all we have the Regulatory Model adopted by the European Union, Australia, New Zealand, Hong Kong, Taiwan, Eastern Europe and Canada. In this case, a public official enforces a comprehensive data protection law - compliance with the law is monitored and alleged breaches are investigated. Most of the states which use the Regulatory Model embrace human rights as fundamental and therefore consider it to be best protected by comprehensive legislation.

In 1995 the European Union enacted the EU Directive on the protection of personal data 95/46EG, due to the shortcomings of such laws in member countries and the compelling adoption of broad privacy laws in each Member State. The Directive on privacy and electronic communication 2002/58EG is even more specialized. It is a sector specific law which takes account of the fast development in technology. It not only imposes an obligation to the Member States to provide citizens with a wider range of protection against data abuse, but also ensures that personal data regarding EU citizens will be covered by law when it is exported and processed in non-EU-countries. This imposes important burdens on US companies and companies from other countries that collect personal data online.

Many other countries have enacted similar laws, for one or more of the following reasons:

·         To remedy past injustices regarding personal privacy under previous authoritarian regimes, like countries in South America, Central Europe and South Africa.

·         To promote electronic commerce - This is the reason why Canada or some countries in Asia adapted their privacy legislation; they realized that many people felt uneasy with their personal data sent round the world.

·         To ensure that law is consistent with the EU directive - Some Central or Eastern European Countries hoped to join the EU; the 15 new countries that joined the Community on May 1, 2004 for example had to make sure that they comply with the legislation of the European Union. Other countries like Canada are adopting new laws in order to ensure that trade with the EU will not be affected.

The second method is used by countries such as the US, PRC and Malaysia, that have avoided general data protection rules in favor of various Sectoral Laws governing for example financial or medical privacy. This approach provides for a patchwork of statutes and case law, with no coherent privacy law. The problem here is that protection often lags behind, and due to the specificity of the rules and new legislation has to be enacted with every new invention of technology.

There are some obvious reasons why the US adopts the Sectoral Law approach. The first one is that, in contrast with the citizens of the EU, many American people believe in a free market and thus are suspicious of every government intrusion. Also a comprehensive legislation like the EU directive would potentially undermine speech that is now protected by the first amendment. All the Sectoral Laws that have been enacted are tailor made in order to not infringe the first amendment.

In theory privacy laws might sound like a good idea, as our personal information is at a much greater risk today than some years earlier. The problem is just that you cannot easily transfer laws made for the jurisdictionally based real world into the global realm of cyberspace. Those countries which believe that law alone works misunderstand the global nature of cyberspace.

Globalization tells us that legislative and executive powers are increasingly limited.  Civil Society is realizing this limitation. Governments are often not capable to meet the citizens’ requirements for safety and pro­tection since their power stops at the border of the national territory except in exceptional circumstances.

Countries’ governments might provide for general rules controlling living together in the real world, but they are not able to solve the problems arising through globalization without a method for achieving consensus. Therefore we need international consensus, and as we do not have an international or supra­national legislator for the Internet, global corporations or individuals using the World Wide Web have to find their own guidelines for data protection to support or complement lawful methods.

SECOND APPROACH: SOCIAL NORMS

Social norms are the outgrowth of aggregate community behavior.  (Think macro not micro).  If every part of a whole community changes its behavior the whole community will change, too. Chat rooms, online dictionaries, and some blogs provide a new means to facilitate communication between people.

If we create a norm that corporations and governments do not use our private data without permission or justifiable reason, and everybody thinks of it being “normal” - we could change a lot.  Corporations that do not comply with these norms would be avoided. [xxi]   We can buy our books from another online book store if we do not like the way one company is using our private data.  Ideally, corporations would maintain socially normative behavior without pressure from civil society,however, this has not been the case historically.  Corporations often seek to comply only with the minimum legal standard, hence, it requires collective action of civil society to encourage more ethical and more satisfactory corporate behavior.

THIRD APPROACH: MARKETS

Markets regulate conduct, too.  When Lessig talks about markets that regulate cyberspace, he is talking about prices [xxii] .  Fees for example constrain access to the Internet and therefore determines who uses the Internet.  In the case of G-mail, users can voluntarily get free storage of their email in exchange for giving up some of their privacy.  What future market inducements adequately reward privacy intrusions is an unknown.  Yet, G-mail has started down this road, and the market will ultimately decide its fate. 

FOURTH APPROACH: ARCHITECTURE - TECHNOLOGY

This method can be quite effective but it is complicated and expensive. Complicated, as we would first have to establish an institution which monitors or maintains the architecture. Expensive, as everybody will have to comply with the newly built architecture. Changing the architecture means that there is no other possibility than to comply with the privacy rules built into the code. This is the major difference with legal regulation. Companies, citizens or governmental institutions can try to avoid complying with the law.  The architecture, however, determines how you operate.

We can think of two different models of architectural change that can enhance the enforcement ability of any potential new system, both would involve publicly aggregating everyone's data under a privacy organization. In the first model, this organization would be completely closed to outside users (though an individual would be able to edit his or her own information). When on the internet, a user would buy things using an ID number from this organization. When the company sends a package, FedEX or another approved delivery agency can access the physical address from the ID number alone.

The second model would be a completely open system, where any user can look up any other person's information. By making it all public, at the very least the users would have a strong incentive to make sure their information is correct. It would also eliminate the value of such lists of information; so, there would no longer be a market for data aggregators.

Problems may arise when it comes to establishing the institution that governs this model. To whom do we confer the power to enforce our right  to privacy? ICANN for example has the sole power to deal with certain Internet related tasks.  Should we establish another institution that governs the architecture of the Internet? First of all, you cannot compare Domain names and IP Addresses with privacy. There has always been somebody to regulate this matter, think of Jon Postel or IANA, whereas no superior institution has dealt with the matter of privacy. Besides, the rest of the world certainly will not agree to establish another US influenced institution like ICANN, or another private institution that is closely connected to one government. On the other hand, supranational institutions like a UN body that controls privacy are sometimes not able to act quickly enough, as we have lately seen. The challenge will be to create an institution that is by and large accepted by the global community, that means acknowledged by governments, corporations and private individuals. By working through a virtual community, the possibility of moving forward and developing an architectural solution becomes real. We can ensure that an effective mechanism for protecting privacy will be developed and then implemented as part of the basic structure of the internet.

STARTING POINT TO SOLVE THE PROBLEM [i3]  

The aim of protecting data, with whatever method, has to be reached with three strands:

a. Knowledge: the right of individuals to be informed who keeps which personal information, for what purpose and how long.

b. Control: the individual has to have some control over what data is kept and how long.

c. Safeguards: Safety measures to ensure appropriate confidentiality, availability, integrity and security of personal information

The Internet is a global marketplace and therefore needs unique, global solutions. As technology, law and politics can erode our privacy, global civil society has to take countermeasures. In order to be successful it has to involve politics, law and technology, but we do need to take steps ourselves to control and regulate surveillance and bring it into conformity with our values.

A blended approach of architecture, law, norms and market pressures serves civil society best.  We cannot just rely on corporations’ privacy policies and third party institutions scrutinizing them. The logical layer of the Internet has to be changed, it should to some extent be impossible for corporations and the governments to intrude upon our privacy with out civil society’s informed consent.

Also, individuals have to take personal responsibility for our own privacy. We need to be willing to share basic information but at the same time get empowered to take control of our personal private information. This will certainly affect the market. Corporations that do not comply with these newly set up social norms will be boycotted. To make this work we need, as explained earlier in this paper, an institution that enforces our right on privacy. This is a part law, part market, part social norm based solution.

WHO CAN HELP DEFINE AND ENFORCE OUR “RIGHT” TO PRIVACY?

“Technology is shifting information and decision-making power out of the hands of a few elites sitting in capitol buildings and back into the hands of citizens” (Colin Rule) [xxiii]

We understand that there is a need for a new kind of institution to help define and enforce Civil Society’s right to privacy. This institution can not  abide by a particular global Internet Law – as there is none. So, if we cannot be sure that our legal system provides for an adequate definition and protection of privacy, we hardly can rely on its enforcement by states. Isn’t it thus self-evident that we better trust in resolutions outside the tradition of state jurisprudence?

Virtual communities, as transparent communities of civil society, are the engines of international law in the network economy through their power to create normative behavior and act collectively. [xxiv]   By allowing individuals to choose to participate only in those social aggregations which they trust, a virtual community emerges for openness and fair dealing. The transparency of the Internet permits the rules set by community organizers to be monitored by the community members in much more direct way than is presently available in the analog world.  Successful virtual communities develop trust by providing accurate information, making full disclosures of all rules, and keeping constant feedback flowing between organizers and members. By organizing interested members of civil society into a virtual community we seek to make civil society aware that they have to take care of their privacy in this transparent digital world. How can this be done?

A new system which combines dispute resolution and information technology, online dispute resolution or ODR is a possible answer. ODR Technology  is being used to fashion participatory and deliberative democracy. [xxv]   By using ODR tools (online discussions, convening, facilitation and document sharing) to organize interested members of civil society into a virtual community, we can ensure a clear and open process and let the technology support the democratic process. By using ODR technology, it is possible to convene a group from around the globe to discuss and develop social norms relating to information privacy.  Through a platform that enables synchronous and asynchronous communication and real time collaborative work, civil society can coordinate and come up with a common understanding about information privacy. Through this process social norms and codes of conduct will be created which will impact both corporate and government behavior. The goal is to use ODR technologies to provide the opportunity to involve stakeholders in the public policy process from around the globe who traditionally have not had a voice in these discussions.

In addition, ODR technology, which is primarily used for dispute resolution can also be fashioned as a global enforcement mechanism for every dispute that arises concerning privacy on the Internet. But how is this going to be happen in light of sovereign concerns over giving up the judicial review process? Can anything be learned from the global ICANN ODR process?  ICANN enters into a contract with everybody wanting a domain name. This contract determines that possible disputes are being solved by ODR. Therefore we have a combination of architectural and legal approach, as the contract could be legally enforced.  This does not work in our case, since the institution governing our right to privacy does not enter into a contract with anybody, or does it?

Ultimately it will be for civil society to decide what type of institution (or lack thereof) can best preserve the right to privacy.  The solutions we have suggested are by no means sacred, yet they serve as a starting point for the discussion to follow through virtual legal communities.  Through starting this global privacy project we hope to take the first step in moving civil society towards a more comprehensive and global understanding of privacy rights in cyberspace. We would like to call upon ODR experts to consider these possibilities and to design a process to make this happen.